The software supply chain involves developing, maintaining and distributing software to end users. To enhance the functionality of the software being developed, developers frequently depend upon open-source components and libraries. These can be sourced from external vendors like Docker images or open-source projects and in-house providers.

But while third-party vendors are often critical to software functionality, they can also increase risk. A compromised software supply chain could lead to the distribution of malicious software, unauthorized access to sensitive data and potential disruptions to critical systems. As such, securing the software supply chain is crucial to ensure the integrity, confidentiality and availability of applications.

By implementing robust supply chain security practices, organizations can mitigate these risks and ensure the integrity and security of the software they deliver.

Software Bill of Materials Security

A secure software supply chain helps protect against malicious attacks, prevent financial losses, secure user data, ensure business continuity, comply with regulations, mitigate third-party risks and build trust with customers. A software bill of materials (SBOM) is a crucial part of this secure software supply chain.

An SBOM is a list of all the components and libraries that create an application or software. This security aims at identifying vulnerabilities in open-source components that developers often overlook.

SBOM security takes a more comprehensive approach to the software development process, from generating SBOM files for third-party components in the application stack and source code repositories to the continuous integration and continuous delivery (CI/CD) pipeline and container registries and runtime.

With enhanced transparency and vulnerability management, SBOM security aims to counteract potentially devastating cyberattacks. These attacks can result in the distribution of compromised software, unauthorized access, data breaches and system compromise.

Common SBOM Attack Scenarios

SBOM attacks fall into four major categories:

1. Dependency Confusion: The threat actors replace a legitimate software package with malicious code in the public repository. When developers inadvertently use malicious code in software applications, this can compromise the security of the product.

2. Supply Chain Tempering: The SBOM components of the product are analyzed and replaced with malicious content. This can occur at any stage of the software supply chain, such as during the development, build or distribution process. Users then install or activate the software with compromised components, leading to potential security risks.

3. Component Vulnerability Exploitation: Threat actors can compromise a vulnerable component of the SBOM file. A dependency with a known vulnerability can help attackers launch a targeted attack.

4. Trust Chain Attacks: The threat actors compromise trusted components listed in the SBOM update process. This can impact the software’s security and reliability.

Why Do We Need an SBOM in Supply Chain Security?

The rise of cyber threats in open-source components and third-party software is a major concern for supply chain security. SBOM security minimizes the risks that arise due to the use of vulnerable open-source software to develop applications and helps clients and customers of software products.

The Log4j vulnerability, also known as Log4Shell, is a critical security flaw discovered in the Apache Log4j library. This issue impacted applications and organizations all over the globe since Log4j is often integrated into third-party libraries.

Software vendors and open-source projects quickly released patches and updated versions of Log4j to address critical weaknesses. The Log4j vulnerability is categorized as a remote code execution (RCE) vulnerability, which means that an attacker can execute arbitrary code on a targeted system remotely.

Recent security breaches like Apache Log4j have led organizations that develop software to maintain an inventory, known as an SBOM file, of open-source and third-party packages, licenses, versions and patch statuses of vulnerable versions.

The SBOM standard is a unified structure or a generic schema of libraries, versions and other software compositions compatible with available tools, like vulnerability scanners, to identify an unpatched component.

There are two standards widely used by organizations: Software product data exchange (SPDX) and CycloneDX.


The SPDX is a Linux-based international open standard (ISO/IEC 5962:2021) format for communicating the components, licenses, files and copyrights associated with a software package. The SDPX standard is available in the following formats: RDF, XLS, SPDX, YAML and JSON.


CycloneDX is maintained by the Open Web Application Security (OWASP) foundation and is available in XML and JSON formats. It supports a range of development ecosystems and use cases and centers on automation, ease of adoption and SBOM enhancement throughout build pipelines.

Generating SBOMs

Syft is a command-line interface (CLI) tool by Anchore that generates SBOM files from container images or filesystems. Syft can generate an SBOM in any SPDX or CycloneDX format.

To generate a SBOM via Syft:

  1. Install the Syft tool from GitHub –
  2. Run the Syft tool on any Docker image; for example, Cytopia/dvwa vulnerable web app image to generate the SBOM file.

Figure 1. Generating SBOM in SPDX via Syft

Figure 2. Generating SBOM in CycloneDX via Syft

Figure 3. An SBOM created by Syft in CycloneDX format

Trivy can generate the SBOM in both the SPDX and CycloneDX formats.

Steps to generate an SBOM via Trivy:

  1. Install Trivy via the GitHub link –
  2. Run the Trivy tool on any Docker image. For example, Cytopia/dvwa vulnerable web app image to generate the SBOM file.

Figure 4. Generating SBOM in CycloneDX via Trivy

Figure 5. Generating SBOM in SPDX format via Trivy

Vulnerability Scanning With SBOM Files

Trivy can also be used to scan the container images, filesystems and Git repositories to identify vulnerabilities. It is designed to be used in continuous integration. Before pushing to a container registry or deploying an application, Trivy can scan local container images and other artifacts.

Figure 6. Trivy SBOM scan results

Grype is another vulnerability scanner by Anchore, which can identify vulnerabilities from container images and filesystems by scanning SBOM files.

Install the Grype tool via the link and perform the vulnerability scanning on the SBOM file generated by the Syft tool in either the CycloneDX or SPDX format.

Figure 6. Grype SBOM scan results

Note: The above screenshot displays the result of the vulnerability scanner Grype with input as an SBOM file in the CycloneDX format. The result of the scan displays the installed version of the software, vulnerability CVE, severity and fixed version, if available.

Best Practices for Securing the Software Supply Chain

Organizations should implement security measures to protect the integrity and security of their software supply chain and the associated SBOM data. Threat actors can leverage vulnerabilities in the software supply chain or exploit weaknesses in the SBOM inventory.

1. Secure Coding: Awareness among developers regarding secure coding guidelines can minimize the risk of introducing vulnerabilities during development.

2. Secure Build and Deployment: Secure build environments, secure distribution channels and strong authentication mechanisms can protect against unauthorized access and secure sensitive information.

3. Third-Party Management: SBOM scanning can help in evaluating the security of third-party components and libraries before integration into any software.

4. Continuous Monitoring and Incident Management: Implementation of continuous monitoring and detection mechanisms can identify potential threats and respond to incidents in a timely manner.

Use SBOMs to Improve Your Security

An SBOM provides a comprehensive inventory of software components and dependencies used in an application. It improves transparency, vulnerability management, risk mitigation, compliance and collaboration in the software supply chain.

By leveraging SBOMs, organizations can make informed decisions about software security, track and manage components effectively and enhance the overall security and integrity of their software applications.

More from Risk Management

Is Open-Source Security a Ticking Cyber Time Bomb?

4 min read - Software depends on layers of code, and much of that code comes from open-source libraries. According to an Octoverse 2022 report, open-source code is used in 97% of applications. Not only do developers embrace open source, but so do nine in 10 companies. “Open-source software is the foundation of 99% of the world’s software,” Martin Woodward, VP of developer relations at GitHub, told VentureBeat.As the foundation of just about every piece of software, every application or device runs on code that…

4 min read

How to Manage Cyber Risk During Mergers and Acquisitions

4 min read - By attracting attention from threat actors, merger and acquisition (M&A) events are a significant source of cyber crime risk. So much so that, according to a 2020 IBM Institute of Business Value study, more than one in three executives said they experienced data breaches that can be attributed to M&A activity during integration.Security ratings, provided by security rating services (SRS), can deliver an overview of risk to stakeholders. But attack surface management (ASM) tools give security teams actionable insight on…

4 min read

How Application Allowlisting Combats Ransomware Attacks

5 min read - Ransomware attacks are on the rise in both volume and sophistication. Triple extortion (a ransomware attack on one business leading to extortion threats on its business partners) is raising the cost of attacks. Ransomware-as-a-Service puts the means to attack in the hands of smaller criminal entities, making the tactic a commodity and not just the tool of masterminds. It’s no surprise that ransomware attacks are now substantially more expensive to recover from than other types of data breaches. Keeping attackers…

5 min read

All About PowerShell Attacks: The No. 1 ATT&CK Technique

4 min read - How do cyber pros prioritize their security efforts? A good place to start is knowing exactly what tactics, techniques and procedures (TTP) threat actors use. In a recently published report, aggregated data was used to identify the most common attack techniques as defined by the MITRE ATT&CK framework. The study revealed that PowerShell Command & Scripting Interpreter was the number one attack technique used by threat actors. PowerShell is a command-line shell and scripting language that is widely used by…

4 min read